Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-25 Thread Adam Young

On 05/25/2016 07:26 AM, OpenStack Mailing List Archive wrote:

Link: https://openstack.nimeyo.com/85057/?show=85707#c85707
From: imocha 

I am trying to follow the steps. I am able to install ADFS and would 
like to proceed further.


However, I am having issues with setting up SSL endpoints for Keystone
V3. I am using Mitaka. Is there any step that I can use?


I am using packstack to install the Mitaka and wanted to enable SSL 
for the identity endpoints to work with ADFS for SAML2 flow.




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

We went through a proof of concept for this last summer (FreeIPA and
Ipsilon, not ADFS):

https://github.com/admiyo/rippowam

Right now I'm working on updating for Keycloak instead of Ipsilon.

The SSL stuff I would like to recommend using Certmonger to manage, but
I don't know how to tie that in with the ADFS CA. We do it using IPA's
CA. You can set up a trust between IPA and AD, which might be your
easiest path forward.


With a trust, the Keystone server would be registered as a host on the
FreeIPA server, but would accept Kerberos tickets from ADFS. If you
want to completely federate the two, you can do so as well, and then you
do not need the trust, you just let ADFS issue SAML.


Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-25 Thread OpenStack Mailing List Archive

Link: https://openstack.nimeyo.com/85057/?show=85707#c85707
From: imocha 

I am trying to follow the steps. I am able to install ADFS and would like to proceed further.

However, I am having issues with setting up SSL endpoints for Keystone V3. I am using Mitaka. Is there any step that I can use?

I am using packstack to install the Mitaka and wanted to enable SSL for the identity endpoints to work with ADFS for SAML2 flow.





Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-20 Thread Kseniya Tychkova
Hi
I would like to share the article "Keystone and WebSSO: Using Active Directory
Federation Services with OpenStack Keystone"
(http://xuctarine.blogspot.ru/2016/05/keystone-and-websso-using-active.html).
In this article you can find a step-by-step manual for SSO on Windows with
Keystone.


On Fri, May 20, 2016 at 3:03 AM, Adam Young wrote:

> On 05/19/2016 07:40 AM, Rodrigo Duarte wrote:
>
> Hi,
>
> So you are trying to use keystone to authorize your users, but want to
> avoid having to authenticate via keystone, right?
>
> Check if the Federated Identity feature [1] covers your use case.
>
> [1]
> http://docs.openstack.org/security-guide/identity/federated-keystone.html
>
> On Thu, May 19, 2016 at 8:27 AM, OpenStack Mailing List Archive <
> cor...@gmail.com> wrote:
>
>> Link: https://openstack.nimeyo.com/85057/?show=85057#q85057
>> From: imocha 
>>
>> I have to call the keystone APIs and want to use the windows
>> authentication using Active Directory. Keystone provides integration with
>> AD at the back end. To get the initial token to use OpenStack APIs, I need
>> to pass user name and password in the keystone token creation api.
>>
>> Since I am already logged on to my windows domain, is there any way that
>> I can get the token without passing the password in the api?
>>
> Yes, use SSSD and Mod_Lookup_Identity:
>
>
> https://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/
>
>
>
>
>
> --
> Rodrigo Duarte Sousa
> Senior Quality Engineer @ Red Hat
> MSc in Computer Science
> http://rodrigods.com
>
>


Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-19 Thread Adam Young

On 05/19/2016 07:40 AM, Rodrigo Duarte wrote:

Hi,

So you are trying to use keystone to authorize your users, but want to 
avoid having to authenticate via keystone, right?


Check if the Federated Identity feature [1] covers your use case.

[1] 
http://docs.openstack.org/security-guide/identity/federated-keystone.html


On Thu, May 19, 2016 at 8:27 AM, OpenStack Mailing List Archive wrote:


Link: https://openstack.nimeyo.com/85057/?show=85057#q85057
From: imocha

I have to call the keystone APIs and want to use the windows
authentication using Active Directory. Keystone provides
integration with AD at the back end. To get the initial token to
use OpenStack APIs, I need to pass user name and password in the
keystone token creation api.

Since I am already logged on to my windows domain, is there any
way that I can get the token without passing the password in the api?


Yes, use SSSD and Mod_Lookup_Identity:

https://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/








--
Rodrigo Duarte Sousa
Senior Quality Engineer @ Red Hat
MSc in Computer Science
http://rodrigods.com 




Re: [openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-19 Thread Rodrigo Duarte
Hi,

So you are trying to use keystone to authorize your users, but want to
avoid having to authenticate via keystone, right?

Check if the Federated Identity feature [1] covers your use case.

[1]
http://docs.openstack.org/security-guide/identity/federated-keystone.html

On Thu, May 19, 2016 at 8:27 AM, OpenStack Mailing List Archive <
cor...@gmail.com> wrote:

> Link: https://openstack.nimeyo.com/85057/?show=85057#q85057
> From: imocha 
>
> I have to call the keystone APIs and want to use the windows
> authentication using Active Directory. Keystone provides integration with
> AD at the back end. To get the initial token to use OpenStack APIs, I need
> to pass user name and password in the keystone token creation api.
>
> Since I am already logged on to my windows domain, is there any way that I
> can get the token without passing the password in the api?


-- 
Rodrigo Duarte Sousa
Senior Quality Engineer @ Red Hat
MSc in Computer Science
http://rodrigods.com


[openstack-dev] How to single sign on with windows authentication with Keystone

2016-05-19 Thread OpenStack Mailing List Archive

Link: https://openstack.nimeyo.com/85057/?show=85057#q85057
From: imocha 

I have to call the keystone APIs and want to use the windows authentication using Active Directory. Keystone provides integration with AD at the back end. To get the initial token to use OpenStack APIs, I need to pass user name and password in the keystone token creation api. 

Since I am already logged on to my windows domain, is there any way that I can get the token without passing the password in the api?


